
Google IE toolbar 404 “hijacking”

02.14.2008 - 3:47 PM
Much has been written about the recent “hijacking” of 404 pages by Google’s IE toolbar, and it has caused a stir. Rather than rely on hearsay, we prefer to refer to the authoritative source: what Google has officially said about this.

In our research, we have discovered malicious sites that return an HTTP 404 status code (indicating that the requested resource could not be found) and then serve a body filled with malicious content, which the browser displays as the error page, sneaky as that may sound. That being said, we do like the idea of having Google’s toolbar prevent the casual surfer from accidentally visiting a malware-laden 404 page.

However, Google’s IE toolbar only “takes over” (we prefer that over “hijack”) when the 404 page is less than 512 bytes. This somewhat reduces the protection it would otherwise have provided, because in our experience malicious 404 error pages are larger than 512 bytes.
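The size rule above leaves larger 404 bodies to be rendered as served, so a defender reviewing proxy or crawler captures can triage them directly. The following is an added example, not code from the original post: the 512-byte threshold comes from the post, while the active-content markers, function names and sample responses are assumptions constructed for illustration.

```python
import re

# Threshold from the post: the toolbar replaces 404 pages smaller than this.
TOOLBAR_THRESHOLD = 512  # bytes

# Assumed heuristic: tags that make a page "active". Not an exhaustive list.
ACTIVE_CONTENT = re.compile(rb"<\s*(?:script|iframe|object|embed)\b", re.IGNORECASE)


def triage_404(status, body):
    """Classify one captured HTTP response (status code, raw body bytes)."""
    if status != 404:
        return "not-404"
    if len(body) < TOOLBAR_THRESHOLD:
        # Per the post, the toolbar shows its own page instead of this body.
        return "replaced-by-toolbar"
    if ACTIVE_CONTENT.search(body):
        # Rendered as served, and it carries script or embedded content.
        return "review-active-content"
    return "shown-static"


def review_queue(responses):
    """Return the URLs of 404 responses that an analyst should inspect."""
    return [url for url, status, body in responses
            if triage_404(status, body) == "review-active-content"]


# Constructed sample captures: (url, status, body). Hosts are placeholders.
SAMPLES = [
    ("http://example.test/a", 404, b"<html><body>Not Found</body></html>"),
    ("http://example.test/b", 404,
     b"<html><body><h1>Not Found</h1>" + b"<p>padding</p>" * 40 + b"</body></html>"),
    ("http://example.test/c", 404,
     b"<html><body><h1>Not Found</h1>" + b"<!-- pad -->" * 50
     + b'<iframe src="http://placeholder.invalid/"></iframe></body></html>'),
    ("http://example.test/d", 200, b"<html><script>1</script></html>"),
]

if __name__ == "__main__":
    for url, status, body in SAMPLES:
        print(url, status, len(body), triage_404(status, body))
    print("review:", review_queue(SAMPLES))
```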

Another point of interest is how the toolbar handles connection failures. Google says, “When your server is unreachable, the Google Toolbar will automatically display a link to the cached version of your page.” We have previously written about how Google services are being targeted by the black hats for use as a resource to launch their nefarious campaigns.

Consider what would happen if the toolbar sends the user to a cached version of the page (hosted by Google) that *is* malicious. The fact that a web page is served by Google’s own web server does not mean it is free of malicious code. To the average web visitor, however, a page that is linked to by Google and also hosted by Google itself would probably seem safe.

Would the bad guys exploit this trust transitivity factor? We would say yes.

Screenshot of malicious site cached by Google:



In the screenshot above, the site is but one victim in a massive SQL injection attack, as mentioned by ISC.

This is by no means limited to Google alone; other big name brands are just as susceptible to this, as our blog on Microsoft Windows Live Mail last week will testify.

What are your thoughts? We’d like to hear from you.